Using IAM with DynamoDB global tables - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM with DynamoDB global tables

When you create a global table for the first time, Amazon DynamoDB automatically creates an Amazon Identity and Access Management (IAM) service-linked role for you. This role is named AWSServiceRoleForDynamoDBReplication, and it allows DynamoDB to manage cross-Region replication for global tables on your behalf. Don't delete this service-linked role. If you do, all of your global tables will no longer function.

For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.

To create replica tables in DynamoDB, you must have the following permissions in the source region.

  • dynamodb:UpdateTable

To create replica tables in DynamoDB, you must have the following permissions in destination regions.

  • dynamodb:CreateTable

  • dynamodb:CreateTableReplica

  • dynamodb:Scan

  • dynamodb:Query

  • dynamodb:UpdateItem

  • dynamodb:PutItem

  • dynamodb:GetItem

  • dynamodb:DeleteItem

  • dynamodb:BatchWriteItem

To delete replica tables in DynamoDB, you must have the following permissions in the destination regions.

  • dynamodb:DeleteTable

  • dynamodb:DeleteTableReplica

To update replica auto scaling policy through UpdateTableReplicaAutoScaling, you must have the following permissions in all Regions where table replicas exist

  • application-autoscaling:DeleteScalingPolicy

  • application-autoscaling:DeleteScheduledAction

  • application-autoscaling:DeregisterScalableTarget

  • application-autoscaling:DescribeScalableTargets

  • application-autoscaling:DescribeScalingActivities

  • application-autoscaling:DescribeScalingPolicies

  • application-autoscaling:DescribeScheduledActions

  • application-autoscaling:PutScalingPolicy

  • application-autoscaling:PutScheduledAction

  • application-autoscaling:RegisterScalableTarget

To use UpdateTimeToLive you must have permission for dynamodb:UpdateTimeToLive in all Regions where table replicas exist.

Example: Add replica

The following IAM policy grants permissions to allow you to add replicas to a global table.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:UpdateTable", "dynamodb:CreateTableReplica", "iam:CreateServiceLinkedRole" ], "Resource": "*" } ] }

Example: Update AutoScaling policy

The following IAM policy grants permissions to allow you to update replica auto scaling policy.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DeleteScheduledAction", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:PutScheduledAction", "application-autoscaling:DeregisterScalableTarget" ], "Resource": "*" } ] }

Example: Allow replica creations for a specific table name and regions

The following IAM policy grants permissions to allow table and replica creation for Customers table with replicas in three Regions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:UpdateTable" ], "Resource": [ "arn:aws:dynamodb:us-east-1:123456789012:table/Customers", "arn:aws:dynamodb:us-west-1:123456789012:table/Customers", "arn:aws:dynamodb:eu-east-2:123456789012:table/Customers" ] } ] }